data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 9 Projects 1 Releases Wiki Activity

Forgejo/Gitea Actions #206

New issue
Open
opened 2024-03-08 14:44:56 +00:00 by benjaoming · 8 comments
benjaoming commented 2024-03-08 14:44:56 +00:00
Owner
Copy link

Since Gitea 1.19, Gitea introcuded Gitea Actions. It's the same concept as GitHub Actions.

They're the called Forgejo Actions in Forgejo. You can see Forgejo Actions in action here:

https://codeberg.org/forgejo/forgejo/actions/runs/7849/jobs/1

Release notes from March 2023: https://blog.gitea.com/release-of-1.19.0/

Since Gitea 1.19, Gitea introcuded Gitea Actions. It's the same concept as GitHub Actions. They're the called Forgejo Actions in Forgejo. You can see Forgejo Actions in action here: https://codeberg.org/forgejo/forgejo/actions/runs/7849/jobs/1 Release notes from March 2023: https://blog.gitea.com/release-of-1.19.0/
benjaoming added the
Service Idea
Existing Service
Service Removal
Upgrade service
 labels 2024-03-08 14:44:56 +00:00
valberg commented 2024-03-08 16:04:43 +00:00
Owner
Copy link

Yeah, we actually "just" need to register some runners.

Yeah, we actually "just" need to register some runners.
valberg commented 2024-03-08 16:05:19 +00:00
Owner
Copy link

https://forgejo.org/docs/next/admin/actions/#forgejo-runner

https://forgejo.org/docs/next/admin/actions/#forgejo-runner
samsapti commented 2024-03-08 20:11:50 +00:00
Owner
Copy link

Seconded! In that case, and since we're gonna be using VMs, why not set up a dedicated runner VM with rootless Docker? That way, we can avoid it having access to our production Docker socket.

https://gitea.com/gitea/act_runner/src/branch/main/examples/vm/rootless-docker.md

Seconded! In that case, and since we're gonna be using VMs, why not set up a dedicated runner VM with rootless Docker? That way, we can avoid it having access to our production Docker socket. https://gitea.com/gitea/act_runner/src/branch/main/examples/vm/rootless-docker.md
👍 1
samsapti added this to the Devops work project 2024-03-08 20:26:40 +00:00
reynir commented 2024-03-08 20:32:31 +00:00
Owner
Copy link

yea it's been a bit iffy our current setup. especially considering the cryptojacker some years ago :(

yea it's been a bit iffy our current setup. especially considering the cryptojacker some years ago :(
👍 1
valberg commented 2024-03-08 22:59:03 +00:00
Owner
Copy link

Seconded! In that case, and since we're gonna be using VMs, why not set up a dedicated runner VM with rootless Docker? That way, we can avoid it having access to our production Docker socket.

https://gitea.com/gitea/act_runner/src/branch/main/examples/vm/rootless-docker.md

How is this different from the Forgejo docs (https://forgejo.org/docs/next/admin/actions/#forgejo-runner)? Emphasis is mine:

Installation of the OCI image

The OCI images are built from the Dockerfile which is found in the source directory. It contains the forgejo-runner binary.

$ docker run --rm code.forgejo.org/forgejo/runner:3.0.0 forgejo-runner --version
forgejo-runner version v3.0.0

It does not run as root:

$ docker run --rm code.forgejo.org/forgejo/runner:3.0.0 id
uid=1000 gid=1000 groups=1000

A docker-compose example is provided to demonstrate how to install that OCI image to successfully run a workflow.

> Seconded! In that case, and since we're gonna be using VMs, why not set up a dedicated runner VM with rootless Docker? That way, we can avoid it having access to our production Docker socket. > > https://gitea.com/gitea/act_runner/src/branch/main/examples/vm/rootless-docker.md How is this different from the Forgejo docs (https://forgejo.org/docs/next/admin/actions/#forgejo-runner)? Emphasis is mine: > Installation of the OCI image > > The OCI images are built from the Dockerfile which is found in the source directory. It contains the forgejo-runner binary. > > $ docker run --rm code.forgejo.org/forgejo/runner:3.0.0 forgejo-runner --version > forgejo-runner version v3.0.0 > > **It does not run as root:** > > $ docker run --rm code.forgejo.org/forgejo/runner:3.0.0 id > uid=1000 gid=1000 groups=1000 > > A docker-compose example is provided to demonstrate how to install that OCI image to successfully run a workflow.
samsapti commented 2024-03-16 21:22:05 +00:00
Owner
Copy link

The process inside the container does not run as root, but it still has access to the Docker socket (on our production VM!), unless we opt to use Docker-in-Docker which is also insecure due to the Docker-in-Docker container being privileged. In that case, the runner has access to the Docker socket of a priviliged container, which effectively grants it root access to that container, which in turn gives root access to the host due to said container being privileged. I don't really like that to be honest. That's why I suggest a dedicated runner VM where we run the Docker daemon itself as an unprivileged user (rootless Docker).

The process inside the container does not run as root, but it still has access to the Docker socket (on our production VM!), unless we opt to use Docker-in-Docker which is also insecure due to the Docker-in-Docker container being privileged. In that case, the runner has access to the Docker socket of a priviliged container, which effectively grants it root access to that container, which in turn gives root access to the host due to said container being privileged. I don't really like that to be honest. That's why I suggest a dedicated runner VM where we run the Docker daemon itself as an unprivileged user (rootless Docker).
valberg commented 2024-03-16 21:36:21 +00:00
Owner
Copy link

Fair enough - but we're not talking about running act_runner are we?

Fair enough - but we're not talking about running act_runner are we?
samsapti commented 2024-03-31 01:35:00 +00:00
Owner
Copy link

No, we're gonna run the official Forgejo runner, but that uses a soft fork of act_runner.

Btw, I'm working on the rootless Docker setup over in proxmox.

No, we're gonna run the official Forgejo runner, but that uses a soft fork of act_runner. Btw, I'm working on the rootless Docker setup over in [proxmox](https://git.data.coop/data.coop/ansible/src/branch/proxmox).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
reynir-patch-1
proxmox
diun
use_sudo
woodpeckerci
linting
mailman
listmonk
sshd-password
No results found.
Labels
Clear labels   
Blocked

Something is blocking progress

  
Existing Service

Issues/improvements regarding existing services

  
Infrastructure Issue

Infrastructure issue that needs investigation or time to fix

  
Refactor

Refactoring of files / file structure or other improvements

  
Security Hardening

Non-verified / non-critical security improvements

  
Security Issue

Urgent security issue that needs to be fixed ASAP

  
Service Idea

Ideas for new services

  
Service Removal

Removal of services for one reason or another

  
Upgrade service
No labels
Blocked
Existing Service
Infrastructure Issue
Refactor
Security Hardening
Security Issue
Service Idea
Service Removal
Upgrade service
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Devops work
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: data.coop/ansible#206
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?